ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security logs on a professional monitoring workstation in a security operations center
Event ID 1102InformationMicrosoft-Windows-EventlogWindows

Windows Event ID 1102 – Microsoft-Windows-Eventlog: Security Log Cleared

Event ID 1102 indicates the Windows Security log has been manually cleared by an administrator or system process, triggering immediate audit trail documentation.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 1102Microsoft-Windows-Eventlog 5 methods 9 min
Event Reference

What This Event Means

Event ID 1102 represents a fundamental security audit event that Windows generates whenever the Security event log undergoes manual or automated clearing. This event serves as an immutable record of log maintenance activities and potential security incidents. The event contains critical forensic information including the Security ID (SID) of the account that performed the action, the logon ID associated with the session, and precise timestamp data.

The event structure includes several key fields: the subject security identifier, account name, account domain, and logon ID. These fields enable security analysts to trace the log clearing action back to specific user sessions and determine whether the action was authorized. Windows generates this event using the Local Security Authority (LSA) subsystem, ensuring it gets written to the Security log before any clearing operation begins.

In enterprise environments, Event ID 1102 often triggers automated security responses through SIEM systems and security monitoring tools. The event's presence indicates a significant change to the audit trail, requiring immediate attention from security teams. Organizations typically configure alerts for this event because unauthorized log clearing represents a common technique used by attackers to eliminate evidence of their activities.

Windows Server 2025 and Windows 11 24H2 introduced additional context fields in Event ID 1102, including process information and command-line details when the clearing occurs through PowerShell or other administrative tools. This enhanced logging provides security teams with more comprehensive forensic data for incident response activities.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual clearing of Security log through Event Viewer by administrators
  • PowerShell commands using Clear-EventLog or wevtutil utilities
  • Automated log rotation when Security log reaches maximum size limits
  • Group Policy-driven log clearing based on organizational retention policies
  • Third-party security tools performing automated log maintenance
  • System restore operations that affect event log files
  • Malicious actors attempting to eliminate audit trails after unauthorized access
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to examine the Event ID 1102 details:

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log for Event ID 1102: Right-click SecurityFilter Current Log
  4. Enter 1102 in the Event IDs field and click OK
  5. Double-click the Event ID 1102 entry to view detailed information
  6. Review the General tab for user account, timestamp, and session details
  7. Check the Details tab for raw XML data including SID and logon information
Pro tip: The Subject fields show exactly which account cleared the logs, while the Logon ID helps correlate with other security events from the same session.
02

Query Event ID 1102 with PowerShell

Use PowerShell to retrieve and analyze Event ID 1102 occurrences:

# Get all Event ID 1102 entries from Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 50

# Get detailed information with formatted output
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} | 
    Select-Object TimeCreated, Id, LevelDisplayName, Message | 
    Format-Table -AutoSize

# Extract user information from Event ID 1102
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} | 
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            UserSID = $xml.Event.EventData.Data[0].'#text'
            AccountName = $xml.Event.EventData.Data[1].'#text'
            AccountDomain = $xml.Event.EventData.Data[2].'#text'
            LogonID = $xml.Event.EventData.Data[3].'#text'
        }
    }

This PowerShell approach provides programmatic access to Event ID 1102 data for automated monitoring and reporting.

03

Correlate with Logon Events for Full Context

Investigate the complete session context by correlating Event ID 1102 with related logon events:

# First, get the Logon ID from Event ID 1102
$logClearEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 1
$xml = [xml]$logClearEvent.ToXml()
$logonID = $xml.Event.EventData.Data[3].'#text'

# Find corresponding logon events (4624) with the same Logon ID
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | 
    Where-Object {
        $eventXml = [xml]$_.ToXml()
        $eventXml.Event.EventData.Data | 
            Where-Object {$_.Name -eq 'TargetLogonId' -and $_.'#text' -eq $logonID}
    } | Select-Object TimeCreated, Message

# Check for any suspicious activities in the same timeframe
$timeRange = $logClearEvent.TimeCreated.AddHours(-2)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    StartTime=$timeRange
    EndTime=$logClearEvent.TimeCreated
    Id=4625,4648,4672
} | Format-Table TimeCreated, Id, Message -AutoSize
Warning: Always investigate Event ID 1102 in context with surrounding security events to determine if the log clearing was authorized or potentially malicious.
04

Configure Advanced Auditing and Alerts

Set up comprehensive monitoring for Event ID 1102 to detect future occurrences:

  1. Enable advanced security auditing through Group Policy:
    • Open gpedit.msc (Local Group Policy Editor)
    • Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Expand System Audit PoliciesPolicy Change
    • Double-click Audit Policy Change and enable Success and Failure
  2. Create a scheduled task to monitor for Event ID 1102:
    # Create XML for scheduled task trigger
$taskXML = @'


  
    
      <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=1102]]</Select></Query></QueryList>
    
  
  
    
      powershell.exe
      -Command "Send-MailMessage -To 'admin@company.com' -From 'security@company.com' -Subject 'ALERT: Security Log Cleared' -Body 'Event ID 1102 detected on $(hostname)' -SmtpServer 'mail.company.com'"
    
  

'@

# Register the scheduled task
Register-ScheduledTask -TaskName "SecurityLogClearAlert" -Xml $taskXML
05

Forensic Analysis and Log Backup Recovery

Perform advanced forensic analysis when Event ID 1102 indicates potential security incidents:

  1. Check for backed-up event logs before the clearing occurred:
    # Look for archived event log files
Get-ChildItem -Path "C:\Windows\System32\winevt\Logs\" -Filter "Archive-Security-*.evtx" | 
    Sort-Object LastWriteTime -Descending

# If backup logs exist, analyze them
$backupLog = "C:\Windows\System32\winevt\Logs\Archive-Security-2026-03-17-12-00-00-000.evtx"
if (Test-Path $backupLog) {
    Get-WinEvent -Path $backupLog -FilterHashtable @{Id=4624,4625,4648,4672} | 
        Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-1)} | 
        Format-Table TimeCreated, Id, Message -AutoSize
}
  2. Examine Windows Security log registry settings:
    # Check Security log configuration
Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" | 
    Select-Object MaxSize, Retention, AutoBackupLogFiles

# Verify log file permissions
Get-Acl "C:\Windows\System32\winevt\Logs\Security.evtx" | Format-List
  3. Review system file integrity and recent changes:
    # Check for recent system changes
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7034,7035,7036} | 
    Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-4)} | 
    Format-Table TimeCreated, Id, Message -AutoSize

# Verify critical system files
sfc /verifyonly
Pro tip: Always preserve the Event ID 1102 entry itself by exporting it immediately, as it may be the only remaining evidence of the log clearing activity.

Overview

Event ID 1102 fires whenever the Windows Security event log gets cleared, either manually through Event Viewer or programmatically via PowerShell commands. This event serves as a critical audit marker that documents when security logs are purged from the system. The event captures the user account responsible for the action, the timestamp, and the method used to clear the logs.

This event appears in the Security log itself and represents one of the most important forensic markers in Windows logging. Security teams monitor this event closely because clearing security logs can indicate legitimate maintenance activities or potentially malicious attempts to cover tracks after unauthorized access. The event generates automatically before the log clearing operation completes, ensuring the action gets documented even when all other security events are removed.

Modern Windows systems in 2026 include enhanced metadata in Event ID 1102, providing more granular details about the clearing process, including the application or service that initiated the action and any associated Group Policy settings that may have triggered automatic log rotation.

Frequently Asked Questions

What does Event ID 1102 mean and why is it important?+
Event ID 1102 indicates that the Windows Security event log has been cleared, either manually or through automated processes. This event is critically important because it represents a significant change to the audit trail. Security teams monitor this event closely because clearing security logs can indicate legitimate maintenance activities or potentially malicious attempts to cover tracks after unauthorized system access. The event captures essential forensic information including the user account responsible, timestamp, and session details.
How can I determine who cleared the Security log when Event ID 1102 appears?+
Event ID 1102 contains detailed information about who cleared the log. In Event Viewer, examine the event details to find the Subject section, which shows the Security ID (SID), Account Name, Account Domain, and Logon ID of the user who performed the action. You can also use PowerShell to extract this information programmatically by parsing the event's XML data. The Logon ID field allows you to correlate with other security events from the same user session to build a complete timeline of activities.
Is Event ID 1102 always a sign of malicious activity?+
No, Event ID 1102 is not always malicious. Legitimate reasons for security log clearing include routine maintenance by system administrators, automated log rotation when logs reach size limits, Group Policy-driven retention policies, and scheduled maintenance tasks. However, the event should always be investigated in context. Look for patterns such as clearing logs immediately after suspicious activities, clearing by unauthorized accounts, or clearing outside of normal maintenance windows. The key is understanding your organization's normal log management practices.
Can I prevent the Security log from being cleared to avoid Event ID 1102?+
While you cannot completely prevent authorized administrators from clearing the Security log, you can implement several protective measures. Configure Group Policy to restrict log clearing permissions to specific administrative accounts only. Set up real-time monitoring and alerting for Event ID 1102 occurrences. Enable log forwarding to a central SIEM system to preserve copies of security events. Configure automatic log archiving before clearing occurs. Additionally, implement the 'Manage auditing and security log' user right carefully, limiting it to only essential administrative accounts.
How should I respond when I discover an unexpected Event ID 1102 in my environment?+
When you discover an unexpected Event ID 1102, immediately begin incident response procedures. First, preserve the Event ID 1102 entry by exporting it to prevent loss. Identify the user account and session that cleared the logs using the event details. Correlate the timing with other security events to understand what activities occurred before the log clearing. Check for any backed-up or archived logs that might contain evidence of suspicious activities. Review recent logon events, privilege escalations, and system changes. If the clearing appears unauthorized, treat it as a potential security incident and engage your incident response team while preserving any remaining forensic evidence.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 1102 and related security log managementhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows Event Log Management Best PracticesOfficial documentation for Windows event log utilities and management commands including wevtutil for log clearing operationshttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-1102#security-logs#audit-trail

Related Windows Events

Windows Event Viewer showing system event logs with error events on a monitoring dashboard
Event 4108
Microsoft-Windows-Eventlog
Windows EventError

Windows Event ID 4108 – Microsoft-Windows-Eventlog: Event Log Service Encountered an Error

Event ID 4108 indicates the Windows Event Log service encountered an error while processing event logs, often related to log file corruption, disk space issues, or service configuration problems.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...